From 31530e50b7b114b06459805483ca00a9fc604be1 Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 6 Jan 2023 13:28:57 +0100
Subject: [PATCH] Update FP
---
 ...eation_win_susp_file_download_via_gfxdownloadwrapper.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
index aa78f8cbc..98bc09e1c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
@@ -6,7 +6,7 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/
 author: Victor Sergeev, oscd.community
 date: 2020/10/09
-modified: 2021/11/27
+modified: 2022/01/06
 tags:
 - attack.command_and_control
 - attack.t1105
@@ -18,7 +18,9 @@ detection:
 Image|endswith: '\GfxDownloadWrapper.exe'
 filter:
 CommandLine|contains: 'gameplayapi.intel.com'
-ParentImage|endswith: '\GfxDownloadWrapper.exe'
+ParentImage|endswith:
+- '\GfxDownloadWrapper.exe'
+- '\igfxEM.exe'
 condition: image_path and not filter
 fields:
 - CommandLine
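Review bot: The new `modified: 2022/01/06` value is a year behind the commit's own date (Fri, 6 Jan 2023), so it looks like a year typo rather than the intended update stamp. The `modified` field is what downstream consumers use to decide whether a rule changed, so a stale-looking date can make this filter change go unnoticed. It should read `modified: 2023/01/06`.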
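Review bot: The widened filter suppresses any GfxDownloadWrapper.exe launch whose parent is merely named igfxEM.exe and whose command line contains the substring `gameplayapi.intel.com`, and both conditions are unanchored: `ParentImage|endswith: '\igfxEM.exe'` accepts a file of that name in any directory, and `CommandLine|contains` also matches hosts such as `gameplayapi.intel.com.attacker.tld` or the hostname embedded anywhere in an attacker-controlled URL. Because this rule exists to catch downloads via this LOLBin, an attacker who drops a binary named igfxEM.exe and includes the legitimate hostname in the URL evades the rule entirely. If the telemetry behind this false positive shows the legitimate command line always starts with the full URL, anchor the exclusion on that form instead, e.g. `CommandLine|contains: 'https://gameplayapi.intel.com/'` (confirm the exact scheme and path from the FP sample), and constrain the parent to its known installation path rather than a bare file name. The `detection` mapping begins above this hunk and `fields` continues below it.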